Welcome - Sharing information with the community related to Microsoft SharePoint security, information protection and permissions. Topics will also cover identity federation, claims and software development. Articles will at times be technical and focussed at developers/architects. They will also be higher level and discuss concepts and customer use cases. Have a look around, share your thoughts and I do hope you find some helpful content.

Follow me on Twitter @AntonioMaio2

Monday, August 12, 2013

Why do Enterprises or Governments secure their information?

This post is the first in a series that will review fundamental security features in Microsoft SharePoint 2013.

When I speak about SharePoint security I often start off with a discussion about why organizations secure their information. What really drives people to implement security measures to control and govern information? For a business owner or C-level executive it may be obvious, but for the average employee it may not be.

To be clear, this article is not intended to deal with people’s personal information. It specifically talks to how enterprises or governments deal with and secure their sensitive internal business information. So let’s begin here...

What drives people to secure information?

We’ve all heard statistics about how the information we’re creating and storing is growing at an exponential rate. Many of us now regularly measure database sizes in Petabytes. In fact, most enterprise content is unstructured data (ex. documents) which of course poses its own challenges for management and security. In a 2013 eWEEK article, Gartner analysts predicted that enterprise data will grow by 800 percent over the next five years, and that 80 percent or more of that new data will be unstructured.

We often hear how organizations are centralizing the storage and access to information in order to promote better collaboration, but for many this raises security concerns that must be dealt with – by the way, SharePoint provides just such an excellent platform on which to accomplish this. We also know that every organization has some meaningful amount of information that is considered sensitive. We often hear about how that sensitive information must be secured, controlled and governed.

However, many individuals who own or have responsibility for this information treat its security as an afterthought. Why is that? With all the statistics and talk about the amount of information we’re generating, how centralizing it promotes collaboration but raises security concerns, and the large amount of that information that’s considered sensitive to the organization, why is its security not top of mind?

From my experience in the security industry over the last 15 years, working with many large organizations around the world and with many individuals who own content or are responsible for content, I’ll put forward a theory: people feel a true need to secure information when they have a personal connection to it, when they truly understand the risk which exposure of that information poses and when the impact of such an exposure affects them directly.

Rarely do people secure information for the good of securing information or because it’s the right thing to do. There are of course exceptions, but in general people are looking out for themselves, not the good of the organization. This isn’t a pessimistic view. I believe it’s just natural human behavior... at least it is today. Culture is slowly changing on this front so who knows how people will feel or think of securing information in the next few years.

Let me summarize the cases in which I have seen people really driven to secure their information. I have found that certain people (outside the security industry) will be driven to secure information for very specific reasons. I’ve categorized each as a set of risks and summed them up in a high-level driver.

1. Reducing Your Liability
For many industries, the exposure of sensitive corporate information can have very negative impacts to business. The risks include:

Compliance violations that result in extremely heavy fines (depending on the industry)

Sanctions and legally imposed restrictions on business

Loss of business reputation (this could be bad PR and of course possibly result in loss of customers)

These are of course very significant risks to the business - they are liabilities to the business. I group these types of risks under “Reducing your liability”.

Exposure of this type of information may be malicious, but more likely it will be inadvertent or accidental. A business owner or a C-level executive will likely be very concerned about such risks and be driven to secure sensitive information in order to protect the business. Business owners, C-level executives and board members are typically very motivated to reduce these liabilities. This is typically because they are better positioned to understand the risk and the impacts can directly affect them personally (bottom line, lawsuits, the buck stops with them, loss of employment, etc.).

The same risks exist for government departments, when you consider government departments can have their budgets cut, such exposures can hit the media very hard or department heads can lose their jobs.

The average employee may or may not be concerned about these risks to the business or department. Depending on the employee, they very likely don’t even understand how these impacts can affect the business nor what information is sensitive to the business.

2. Protecting Your Investments
This particular category of risks typically applies to enterprises, much more so than governments. The risks include:

Compromising of internal (or external) business systems – which could have a trickle-down effect of loss of customers of course

Once again, a business owner or C-level executive will likely be very concerned about such risks and be driven to secure sensitive information in order to protect the business. This type of data loss or exposure of sensitive information can greatly affect the business’ performance. For these types of individuals their compensation or bonus is typically highly tied to the business’ performance. A CIO or CISO will typically be measured critically (or terminated) when these types of exposures occur.

For a typical employee, although part of their salary/bonus might be tied to company performance that percentage is typically much lower than that of executives. As well, they often will not understand which information is sensitive and how the loss of that information will affect the business. Unless you have a clear way to identify which information is sensitive and can effectively educate employees on how they should handle that information, their ability (and desire) to help protect against data loss will be limited.

3. Public Safety or Mission Success
This category typically applies to government agencies like departments of defense throughout the world, Homeland Security in the US, as well as other government departments. The risks include:

Exposure or theft of classified mission data (which can compromise military missions and endanger personnel)

Exposure of homeland security information (which can endanger the general public)

Compromising of critical government services and security systems

In these cases, the personnel that deal with the data involved are typically well trained in how to handle this type of sensitive information. As well, often people go into these areas of work because they have a desire to be part of the public service, or they wish to work in a military or service that protects the public safety. As such, this particular category may be an exception to the theory I put forward earlier.

There have been some high-profile leaks of classified government information in the last few years, but in general the people that work and deal with this type of information do tend to protect it because they understand the very negative and dangerous impacts that can happen with its exposure and because typically protecting this information is the right thing to do.

4. Health Information
This represents a new risk category in recent years that I’ve been researching lately. I’ve been to a few sessions that specifically talk about the impacts that can occur when personal health information is stolen or exposed. This leans more towards the personal information side (which I said I wasn’t going to talk about) because we are talking about personal health information. However, it’s included here because it affects the companies and government agencies which store/manage that information.

For example, in the state of Florida a personal health identity can be illegally purchased for approximately $56,000. A non-insured individual purchasing such an identity can make use of it to illegally get health care, causing the original owner of that insurance plan to have their premiums used without their knowledge. Even more dangerous than that, the person illegally using the health identity can cause data within the health record to be modified. For example, their blood type may be type A and that gets applied to the original health record, but the original owner has type B-negative. If the original owner of the insurance plan is then in an accident and needs a transfusion, this record modification could have extremely dangerous consequences.

In this case, government agencies and health care organizations that manage personal health information must ensure that proper security measures are put in place in order to prevent these types of risks or exposures from happening. In these cases, typically both the administrators and the employees working in the health care industry do care about these types of risks, and are starting to get a sense for the very dangerous impacts that can occur. The health care industry has traditionally been slow to adopt technology solutions, but that has been changing in recent years.

Overall
(I realize this first post in fact has nothing to do with SharePoint, but I believe these concepts are important to understand when we generally look at implementing security measures.)

To summarize, in many businesses and organizations the average person tends to feel a true need to secure information when they have a personal connection to it, when they truly understand the risk which exposure of that information poses and when the impact of such an exposure can affect them directly.

The ideal situation in any organization would be if each and every individual does in fact care about securing and properly handling sensitive information. This is really what we should be striving for, and many organizations are starting to tackle this head on.

We have found that the best way to achieve that is to involve all employees in the organization’s security strategy. This is done through education, as well as traditional security mechanisms - education of employees so that they understand which information is sensitive and how they should handle it, and so that they are aware of the very real impacts of information exposure, both to the business and to them personally. As well, make employees accountable when they handle sensitive information, and that accountability needs to be obvious (for example, if someone prints a sensitive document their name should be stamped all over it, so that if they leave it in a hallway everyone knows who left it).

This type of education and accountability helps ensure all employees feel the real need to secure the organization’s information, and it’s one of the best lines of defense against both inadvertent and malicious exposure of sensitive information.

About Me

Antonio Maio is an information security architect with over 25 years of experience in cyber security practices and systems, product management, software development and leadership. Antonio is currently a Senior Manager and Senior SharePoint Architect with Protiviti. He has been awarded a Microsoft Most Valuable Professional award for 5 consecutive years, from 2012 to 2016, specializing in Microsoft SharePoint Server, Office 365 and Office Services. His background includes implementing cryptography and PKI systems, information security technologies, and both information governance and cybersecurity best practices. His experience with Microsoft SharePoint and Office 365 extends over the last 10 years. When he’s not helping enterprise, military or government organizations solve security challenges, you can catch him speaking at conferences or contributing to the community through this blog. In his spare time, Antonio likes to oil paint, run, make wine, read and spend time with his family.